Our IT team is requesting to apply IP restrictions to all System Admins and to force login via VPN for only this group, due to their access to sensitive data.

It appears that the IP Restrictions can be applied only by configuring which are allowed, but not to block particular IPs or specific roles/users. Has anyone discovered a workaround using layered security protocols? For example, is it possible to achieve the desired result (access does not require VPN connection for all users except for system admins, who must connect to VPN when offsite) by applying IP restrictions and using SSO configuration to block users, or blocking access to the site for specific users internally using certificates only accessible when connected to VPN, etc.?

I did see this article, but it doesn't quite match the request of our IT group, unless they would add all IP addresses except those that are of the targeted admins, which seems too difficult to maintain.